Wietse Venema via Postfix-users:
> Herbert J. Skuhra via Postfix-users:
> > On Mon, 28 Jan 2019 13:59:23 +0100, Stefan Bauer wrote:
> > >
> > > Hi,
> > >
> > > we would like to go the next step, enable smtp_tls_security_level = dane.
> > > Currently we have encrypt site-wide.
> > >
> > > But in cases where remote sites do not have published key material, the
> > > fallback is may with dane, which is a step back in terms of security and
> > > not wanted.
>
> Encryption without authentication is not 'security'. It just gives
> some privacy.
>
> > > Is this possible by now? :-)
> >
> > I guess not, after reading
> > https://www.postfix.org/postconf.5.html#smtp_tls_security_level.
>
> To enable DANE and STS, consider using https://github.com/Zuplu/postfix-tlspol
>
> Then, you should be able to set smtp_tls_security_level=encrypt in
> main.cf. But that would make 'no TLS' a hard error without trying
> alternate MX hosts. To avoid that, use the smtp_dsn_filter example
> in https://www.postfix.org/postconf.5.html#default_delivery_status_filter

Ahem it's the other way around. Level encrypt results in soft errors,
and you want to 'hard' return mail if none of the MXes supports TLS.

	Wietse
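
Added example, not part of the thread and not Postfix code: a Python model of how an smtp_dsn_filter style table turns the soft (4.x.x) "TLS is required" errors produced at level encrypt into hard (5.x.x) bounces, while leaving unrelated or local errors soft. The patterns are assumptions modelled on the example in the linked default_delivery_status_filter documentation; the status codes, host names and sample lines are constructed.

```python
import re

# Assumed patterns, modelled on the smtp_dsn_filter example in the Postfix
# default_delivery_status_filter documentation. Verify the wording against
# your own Postfix logs before using them in a real pcre: table.
RULES = [
    (re.compile(r"^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)"), r"5\1"),
    (re.compile(r"^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)"), r"5\1"),
]


def filter_dsn(status_text):
    """Apply the first matching rule; return the input unchanged if none match.

    Input and output have the form "<enhanced status code> <text>".
    """
    for pattern, replacement in RULES:
        if pattern.search(status_text):
            return pattern.sub(replacement, status_text, count=1)
    return status_text


def is_hard(status_text):
    """A leading 5 means a permanent failure: the mail is returned, not retried."""
    return status_text.startswith("5")


# Constructed sample delivery status texts (hosts use documentation ranges).
SAMPLES = [
    "4.7.4 TLS is required, but was not offered by host mx1.example.net[192.0.2.25]",
    "4.7.5 TLS is required, but host mx2.example.net[192.0.2.26] refused to start TLS: 454 4.7.0 TLS not available",
    # Local problem: must stay soft, or a broken local TLS setup bounces all mail.
    "4.7.0 TLS is required, but our TLS engine is unavailable",
    # Unrelated transient error: must stay soft so the queue manager retries.
    "4.4.1 connect to mx1.example.net[192.0.2.25]:25: Connection timed out",
]


def classify(samples):
    """Return (filtered_text, 'hard' | 'soft') for each sample."""
    results = []
    for text in samples:
        out = filter_dsn(text)
        results.append((out, "hard" if is_hard(out) else "soft"))
    return results


if __name__ == "__main__":
    for out, kind in classify(SAMPLES):
        print(f"{kind:4}  {out}")
```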